Webevent v3.3.3 (webevent.pl), an online calendar, contains a remote CGI vulnerability that allows administrative access.
5496ce9dcc8d0910d984fc7e479e1a67727682f51767ceae31adf5e834118d53
To whom it may concern,
I found what seems to be a bug in a program called webevent
(www.webevent.com). Webevent is a calendar program that allows multiple
users to post to, and read, the calendar. The bug comes in from the fact that
you still have access to the perl file that is run when the administrator
runs the program for the first time. Once you run this perl file, it asks
you to enter in the admin info, e.g. name, email, and....password. I've
tested version we3.3.3; I found this version running at www.eosmith.org
(you can access firsttime at
www.eosmith.org/scripts/we3.3.3/webevent.pl?cmd=firsttime (this is used to
change the admin info and pass) and
www.eosmith.org/scripts/we3.3.3/webevent.pl?cmd=login to login). Perhaps
earlier versions have the same problem. One way around this is to simply
delete the firsttime.pl file after you configure webevent. I also wonder if
this is a problem with whether you are using the .cgi extension or .pl
extension....also, since you have access to write events once you get admin,
I am looking into how you write to the server when you create and
submit events.
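An administrator can check their own web server logs for requests to the setup command described in the message above. The following is an added example, not part of the original advisory or of Webevent itself; it assumes access logs in Common Log Format, and the sample lines, client addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Common Log Format (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2000:10:00:00 +0000] "GET /scripts/we3.3.3/webevent.pl?cmd=login HTTP/1.0" 200 2310
198.51.100.7 - - [01/Jan/2000:10:05:12 +0000] "GET /scripts/we3.3.3/webevent.pl?cmd=firsttime HTTP/1.0" 200 4102
198.51.100.7 - - [01/Jan/2000:10:05:40 +0000] "POST /scripts/we3.3.3/webevent.pl?cmd=login HTTP/1.0" 200 1999
203.0.113.5 - - [01/Jan/2000:11:00:00 +0000] "GET /scripts/we3.3.3/webevent.cgi?x=1&cmd=first%74ime HTTP/1.0" 404 310
192.0.2.10 - - [01/Jan/2000:11:30:00 +0000] "GET /index.html HTTP/1.0" 200 512
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')
SCRIPT_RE = re.compile(r"/webevent\.(pl|cgi)$", re.I)  # both extensions the message mentions

def command(target):
    """Return the decoded, lower-cased cmd value for a webevent request, else None."""
    parts = urlsplit(target)
    if not SCRIPT_RE.search(unquote(parts.path)):
        return None
    # parse_qs percent-decodes values, so encoded spellings compare equal.
    params = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    values = params.get("cmd")
    return values[0].lower() if values else ""

def find_firsttime(log_text):
    """List cmd=firsttime requests, noting whether the page was served and
    whether the same client requested cmd=login afterwards."""
    findings, by_client = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not Common Log Format
        client, when, _method, target, status = m.groups()
        cmd = command(target)
        if cmd == "firsttime":
            hit = {"client": client, "time": when, "status": int(status),
                   "served": status.startswith("2"), "login_after": False}
            findings.append(hit)
            by_client.setdefault(client, []).append(hit)
        elif cmd == "login":
            for hit in by_client.get(client, []):
                hit["login_after"] = True
    return findings

if __name__ == "__main__":
    for hit in find_firsttime(SAMPLE_LOG):
        print(hit)
```

A hit with `served` true after the calendar was configured means the setup page is still reachable and the admin account details should be reviewed.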